Fixed CVE-2021-33203 -- Fixed potential path-traversal via admindocs' TemplateDetailView.

Florian Apolloner 2021-05-17 11:26:36 +02:00 committed by Carlton Gibson
parent f66ae7a2d5
commit 46572de2e9
5 changed files with 52 additions and 3 deletions


@ -154,6 +154,22 @@ class AdminDocViewTests(TestDataMixin, AdminDocsTestCase):
self.assertEqual(response.status_code, 200)
@unittest.skipUnless(utils.docutils_is_available, 'no docutils installed.')
class AdminDocViewDefaultEngineOnly(TestDataMixin, AdminDocsTestCase):
def setUp(self):
self.client.force_login(self.superuser)
def test_template_detail_path_traversal(self):
cases = ['/etc/passwd', '../passwd']
for fpath in cases:
with self.subTest(path=fpath):
response = self.client.get(
reverse('django-admindocs-templates', args=[fpath]),
)
self.assertEqual(response.status_code, 400)
@override_settings(TEMPLATES=[{
'NAME': 'ONE',
'BACKEND': 'django.template.backends.django.DjangoTemplates',